Rabobank

Speeding software development and protecting data privacy

How do you provide developers with rapid, realistic test data when data privacy regulations are stricter than ever? Working with IBM, Rabobank harnesses automation to accelerate test data delivery from weeks to days—speeding up development cycles—and employs powerful pseudonymization techniques to keep sensitive data private and secure.

Higher-quality

Manages

Business challenge story

Maintaining the pace of innovation

Changing technology, regulations and customer expectations are transforming financial services—requiring firms to become more agile and open while also maintaining tight security and data privacy. To thrive in this fast-moving world, Rabobank is constantly working to enhance its banking systems and improve the customer experience.

To keep up with demands from both customers and internal teams, Rabobank must develop, maintain, update and launch new software applications quickly. And to make sure that these solutions perform as expected in production, it is vital for development teams to use data which is as close as possible to production during the testing phase. To support these efforts, Rabobank launched the Radical Automation program several years ago to help accelerate software development processes.

Peter Claassen, Delivery Manager of the Radical Automation team within Payment Solutions at Rabobank, elaborates: “Our goal is to make the end-to-end development process more efficient and flexible, so that we can develop, iterate and deploy solutions faster and with higher quality. Testing was one of the key areas that we targeted for automation and test data is an important part of testing —we wanted a quick, consistent way to extract data from production environments, pseudonymize it across databases and load it into test and development environments.”

When the General Data Protection Regulation (GDPR) came into force in May 2018, it brought an added layer of complexity to test data management. To comply with the strict rules around processing personal information, it became all the more important for Rabobank to make sure that production data was pseudonymized effectively before it was used for testing.

Transformation story

Taking testing to the next level

Rabobank embarked on a pioneering initiative with IBM to streamline test data management and data pseudonymization. As a starting point, Rabobank performed an extensive proof-of-concept with IBM® InfoSphere® Optim™ Test Data Management software. This evolved into a wider pilot program, which saw the bank collaborate with IBM® Services™ and IBM Research – Zurich to augment its data pseudonymization capabilities with a cryptographic desensitization engine called IBM HADES.

The result of this multi-year journey is the Test Data Factory, which has now been in production at Rabobank since mid-2017. The bank first extracts records from production databases and moves them into a “desensitized zone” in the Test Data Factory. It then harnesses IBM InfoSphere Information Analyzer software to identify and classify any personal information, using IBM InfoSphere Information Governance Catalog software to store these data classifications.

Next, Rabobank uses InfoSphere Optim Test Data Management software together with the HADES solution to cryptographically transform this personal information into a desensitized representation. The technology achieves pseudonymization by converting the data into individual hash-based token keys which are impermeable. Once desensitized, Rabobank loads the data into a separate database and uses InfoSphere Optim Test Data Management to create subsets of this “golden copy,” which it then loads into test environments, ready for use by development teams.

Rabobank continues to work closely with IBM to refine the Test Data Factory. The bank is currently testing IBM InfoSphere DataStage® software, which it plans to introduce as the platform’s core data integration and management engine in the future.

Peter Claassen says: “We are breaking new ground with the Test Data Factory project and it hasn’t always been an easy road. We have overcome many unknowns and challenges to reach where we are today, and have dedicated considerable time and effort to refining the different components of this solution. As we’ve progressed on this journey, I think one of the highlights has been the relationship we have built with IBM. It has been a truly collaborative effort—we can come to the IBM team with our ideas and issues, have useful discussions and agree on a plan for moving forward.”

Rabobank primarily uses the Test Data Factory to support testing and development work in its payments business. In addition, the bank is working on a pilot project for customer relationship management system testing, and is exploring other use cases for the solution beyond testing.

“We have deliberately designed the Test Data Factory to be as generic as possible, so that we can re-use it in different parts of the business,” remarks Peter Claassen. “We want to align with more teams and expand as much as we can—we believe that a solution like this has the potential to bring efficiencies to many functional areas and support more agile ways of working.”

“Being able to test and iterate faster—using realistic, desensitized data across multiple applications—allows our teams to deliver leading-edge solutions that help our business run better and that bring greater security and convenience to our customers.”

Results story

Enhanced compliance, faster development

Today, Rabobank can effectively pseudonymize terabytes of sensitive data without impacting the integrity or quality of test datasets. As a result, the bank has minimized the risk of sensitive information being inadvertently exposed through testing, helping keep customer data secure and meeting regulatory obligations.

“The combination of IBM HADES and IBM InfoSphere solutions delivers strong encryption power and data management capabilities—a compelling proposition when it comes to data pseudonymization,” notes Peter Claassen. “With the ability to properly desensitize test data, we can reduce the risk of exposing private information, enabling us to keep client data secure and maintain compliance with regulations such as the GDPR.”

In addition, by bringing greater efficiency to test data management processes, Rabobank is accelerating development cycles and empowering its teams to bring new solutions to market faster.

Peter Claassen explains: “The Test Data Factory helps reduce the time taken to create new testing and development environments. Whereas in the past, it could take weeks to prepare datasets for performance tests, we can now have that data ready in days. And if new iterations are required, our teams can typically complete them in just a few hours because the test data is readily available, properly structured and of good quality.

“This kind of agility is very important in an area like payments, where performance is a top priority. If we’re launching a new functionality, mobile app, feature or compliancy changes, we must test it thoroughly and quickly too, as we don’t want to lose any momentum going to market. By maintaining high levels of quality and speed in the testing process, we can more easily keep pace with the demands of the business, the market and our regulators.”

Similarly, a more automated approach to testing enables development teams to work more productively by reducing error rates and repetitive work. Ultimately, this helps Rabobank drive higher-quality and more cost-effective development.

“The Test Data Factory makes life much easier for our teams,” confirms Peter Claassen. “We’re generating terabytes of higher-quality data for testing, which means fewer errors and less rework. We’ve also been able to automate more of the routine tasks around test data management. All of this means that testing teams spend less time on dull, repetitive tasks and can deliver more functionality in less time. In turn, that creates financial benefits as we can dedicate fewer resources to testing and more to value-add tasks.”

He concludes: “The work we are doing around test automation and data pseudonymization, including the complexity and amount of data, is quite innovative, and I think it puts us ahead of the industry curve. Being able to test and iterate faster—using realistic, desensitized data across multiple applications—allows our teams to deliver leading-edge solutions that help our business run better and that bring greater security and convenience to our customers.”

About Rabobank

Rabobank is a multinational banking and financial services company headquartered in Utrecht, Netherlands. With operations in 40 countries across Europe, North America and Australia, Rabobank serves approximately 10 million customers and employs more than 40,000 people worldwide.

Solution components

Take the next step

IBM offers a comprehensive, scalable Unified Governance and Integration platform and solutions—available on premises, on cloud and hybrid environments—successfully delivering trusted data for insights and compliance to businesses, governments and individuals. Learn more about Unified Governance and Integration at ibm.com/unified-governance-integration. Follow us on Twitter at @IBMAnalytics, on our blog at ibmbigdatahub.com and join the conversation #IBMUGI.

IBM, the IBM logo, ibm.com, DataStage, InfoSphere and Optim are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

The content in this document (including currency OR pricing references which exclude applicable taxes) is current as of the initial date of publication and may be changed by IBM at any time.

Not all offerings are available in every country in which IBM operates.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Contact IBM to see what we can do for you.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.